In many ways, auto lenders are exempt from a new California consumer privacy law — but experts still advise that lenders scour their data inventory before counting themselves out of the law's scope.
The California Consumer Privacy Act, effective this coming Jan. 1, affects all businesses in California meeting certain thresholds, including many auto companies.
Among other requirements, the law orders businesses to honor consumers' demands to access personal information collected about them, know whether their personal information is sold or disclosed and to whom, and opt out of the sale or sharing of personal information. Consumers can also demand that a business and its affiliates, such as vendors, delete their personal information.
But personal information that is collected to comply with the federal Gramm-Leach-Bliley Act, which lenders must follow, is exempt from the disclosure and deletion requirements in the California Consumer Privacy Act. Under the Gramm-Leach-Bliley Act, financial institutions must have a security plan to protect the confidentiality and integrity of consumers' personal information. It requires companies to give consumers privacy notices that explain their information-sharing practices.